Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 5 years ago.
Improve this question
We have a set of internal testers on our corporate network that are not on the domain (and getting them there is not a possibility for me as a dev). The use case is that a walk up kiosk type device is under test.
I'd like them to be able to submit bugs to a TFS repository without them having to authenticate at all, including entering their username.
Constraints (not questions)
We have a preexisting screenshot thickclient app with the TFS API that will fill in all applicable fields (type type 'what went wrong').
Obviously I don't want to embed a hardcoded username/password in this app.
I understand that this is allowed without a TFS CAL via the Stakeholder role; all the users and devices qualify.
I understand it's possible to wrap the TFS API with a web page and log errors as the web app's login. I'd like to avoid this as the point of not creating logins and registering testers and having them log on is to avoid the administrative costs and time extensions associated with that.
My biggest problem, I guess, is that the testing effort is pretty low budget!
Question: How to I Anonymously add a bug to TFS?
It doesn't support to create/add bugs in TFS without any authentication. No matter how you connect to TFS, from web access page, Visual Studio or using TFS API, it all needs authentication. To do some actions in TFS, it also need to give these accounts permissions. https://www.visualstudio.com/en-us/docs/setup-admin/tfs/admin/setup-ad-groups
In your scenario, those testers are in other domain, you could make the 2 domains trust each other and add their account to TFS. Or if you can't want to do so, you could create some local accounts on your TFS server for those testers. And add these accounts to TFS.
Related
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 5 years ago.
Improve this question
I am developing an Nodejs application and using AAD to secure an Azure function.
There would multiple Nodejs clients but I don't need to have a single user for each one of them (all the instances are should be treated as the same client).
How should I go about implementing this and is there any security concerns?
Edit
The protected resource is an Azure Function with a HTTP trigger.
I just want to limit the access to people who have the NodeJs client Installed. I don't want the user to enter his credentials. My question is which flow should I use and how should I go about that?
If you do not want to use the user's credentials, then please evaluate the Azure Active Directory v2.0 and the OAuth 2.0 client credentials flow.
This type of grant commonly is used for server-to-server interactions that must run in the background, without immediate interaction with a user.
While this advised solution may not look like an exact fit, you can use the admin consent and make this work for you. There are additional considerations like securing the credentials on each machine that you also have to look at.
in the client credentials flow, permissions are granted directly to the application itself. When the app presents a token to a resource, the resource enforces that the app itself has authorization to perform an action, and not that the user has authorization.
If this looks promising, then also look at the azure-activedirectory-library-for-nodejs to get you going.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 5 years ago.
Improve this question
Is there a way where I can develop a Windows Azure locally without having to create a Windows Azure account?
The reason I'm asking is because I am creating a Web API using C# and a frontend technology (I haven't decided which one yet) and I want to use AAD for my authentication using my user's Microsoft account, and want to test it first if my use case is fit for it without having to subscribe to Azure first.
Thanks!
Based on my understanding, there are two things you want to accomplish:
Build/test a WebAPI using C#.
Use AAD to authenticate your users. Your users will sign in using their Microsoft account.
For #1, you really don't need an Azure account. You could simply create a WebApi application using Visual Studio and test it locally. If the intended backend database is SQL Server, then again you can test it locally by installing SQL Express.
For #2, again you don't need to have an Azure account unless your application does something related to Azure (for example, permission to execute Azure Resource Manager API on behalf of the user). If you simply want your users to sign in using their Microsoft account, you could create an application that uses Azure AD v2 endpoint. To create such application, all you need is a Microsoft account for yourself. You can read more about Azure AD v2 here: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-appmodel-v2-overview.
You would need some place to host your application once you want folks other than you to test the application. At that time you would need an Azure account if you decide to host this application in Azure.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 9 years ago.
Improve this question
I am doing Facebook integration to authenticate users and with my Ruby on Rails application. I've been going through tutorials available online and some SO posts.
I've come across some ways to do this, and most of them talk about what is explained in this post from last year. http://railscasts.com/episodes/360-facebook-authentication?view=asciicast
My questions are:
Can I do with just client side integration?
Why do I need server side integration?
What are the pros and cons of choosing one?
What are the benefits of doing both?
What is the best way to do Server side integration (which gem/gems)?
Can I do with just client side integration?
By Client side integration I'm assuming you are referencing simply using FB javascript widgets like the facebook like button (https://developers.facebook.com/docs/reference/plugins/like/). You can definitely do this, and it will not require your users to "authenticate" to your app at all (ie. go through the oAuth process of giving your app permission etc.) Instead, it will simply pop them to the facebook login page and post directly on their wall/like etc.
Why do I need server side integration?
As a continuation to the answer to the first question, sometimes you may want actually want the user to go through the oAuth process so that you can do other things server side. This may include (depending on what permissions you ask for) getting information like an email/picture, country/etc. of your user. Or perhaps it has to do with implementing a particular feature such as for example pulling friends of friends and seeing who is currently using your app.
What are the pros and cons of choosing one?
Both are acceptable ways of integration with FB, but using the JS widgets isn't really a login integration, its simply a redirection to FB for them to perform some action. If you really want to enable someone to "sign in with facebook" on your site, you will have to use server side integration (ie. oAuth)
This in turn means that after the oAuth process, you will have an "authentication" (ie. a token) that represents the user from FB tied to the actual "user" object in your server side database.
This is useful for many reasons, as outlined above. If you do not need to do complex things, but just want someone to be able to "Like" something, or "Share to wall" you may not need server side integration, but again as mentioned - if you do need "sign in with facebook" at all, it is definitely oAuth and will require the server side integration.
What are the benefits of doing both?
Lots to say here... but pretty much see above for answer, can go in to more detail if you have more specific questions.
What is the best way to do Server side integration (which gem/gems)?
It would depend upon which gem you are using for your authentication. Personally, I've had great success with the Devise Gem and its built in support for the Omniauth Gem. You can read more about that integration here: https://github.com/plataformatec/devise/wiki/OmniAuth:-Overview
The question is a bit vague. If what you mean by integration is authentication then the answer is the only difference is that the client side version needs javascript to work, whereas the server side version doesn't(and implementation is slightly different).
The best way, in my opinion, to do any kind of facebook work in Rails is the Koala gem(which uses Omniauth). It's really well documented and it makes navigating the terrible FB API almost bearable.
Again, if what you asked about is authentication then there is no difference. With Koala/Omniauth you can extract user info from the cookie produced with the JS SDK, just as well as you do by using the server-side redirect based login.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 3 years ago.
Improve this question
So i'm creating an app that really only communicates with one other rails application besides for some remote touch screens. The app is only available to individuals who own one of these touch screens, and an admin. Therefore, I really don't see the point in being able to sign in with twitter, facebook, etc. However, I need SOME sort of http authentication using request/access tokens in order to 1. authenticate a user and 2. be able to derive what user is communicating with the server (and when). I've spent about a week (I'm a rails newb) researching Oauth, omniauth, etc, and I'm asking two things:
Because Im authenticating between my own two sets of apps, what gem would be best for my situation?
Where would I write the logic for request/access tokens?
I really can't find any good tutorials for this
If you don't need any kind of integration with existing identity providers, then Devise is all you need. It provides a simple way for you to manage user accounts, and users will login using their email addresses and passwords.
It gets trickier to authenticate against another app.
Method 1
If you don't need much communication between the two apps, you can have the user login to the main app, then generate a temporary token that the user can use in the secondary app. Finally, have the secondary app include this string in all communications with the main app. Real world examples include Pivotal Tracker, which gives users an API key that they can use in web hooks on GitHub.
Trivial Example
User goes to Main.com and logs in using email and password.
Main.com generates a temporary token for user.
User gives token to Sub.com.
Sub.com contacts Main.com using <user>:<token>#main.com/some/path?some=query
There are many security issues with this, but it's good enough for non-critical use cases. You might want to use SSL to protect the tokens.
Method 2
However, Method 1 is not very secure. A more robust and secure solution is to make the main app an OAuth provider, and then have the secondary app authenticate against the main app using OAuth. Here is a Railscast that explains how to do that with DoorKeeper. You can use OmniAuth in the secondary app.
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
Improve this question
Does anyone know what would be the minimum rights I would need to grant to a domain user account in order to run a windows service as that user?
For simplicity, assume that the service does nothing over and above starting, stopping, and writing to the "Application" event log - i.e. no network access, no custom event logs etc.
I know I could use the built in Service and NetworkService accounts, but it's possible that I may not be able to use these due to network policies in place.
Two ways:
Edit the properties of the service and set the Log On user. The appropriate right will be automatically assigned.
Set it manually: Go to Administrative Tools -> Local Security Policy -> Local Policies -> User Rights Assignment. Edit the item "Log on as a service" and add your domain user there.
I do know that the account needs to have "Log on as a Service" privileges. Other than that, I'm not sure. A quick reference to Log on as a Service can be found here, and there is a lot of information of specific privileges here.
"BypassTraverseChecking" means that you can directly access any deep-level subdirectory even if you don't have all the intermediary access privileges to directories in between, i.e. all directories above it towards root level .
Thanks for the links, Chris. I've often wondered about the specific effects of privileges like "BypassTraverseChecking" but never bothered to look them up.
I was having interesting problems getting a service to run and discovered that it didn't have access to it's files after the initial installation had been done by the administrator. I was thinking it needed something in addition to Logon As A Service until I found the file issue.
Disabled simple file sharing.
Temporarily made my service account an administrator.
Used the service account to take ownership of the files.
Remove service account from the administrators group.
Reboot.
During Take Ownership, it was necessary to disable inheritance of permissions from the parent directories and apply permissions recursively down the tree.
Wasn't able to find a "give ownership" option to avoid making the service account an administrator temporarily, though.
Anyway, thought I'd post this in case anyone else was going down the same road I was looking for security policy issues when it was really just filesystem rights.